Linux Privilege Escalation via Automated Script

We all know that, after compromising the victim’s machine we have a low-privileges shell that we want to escalate into a higher-privileged shell and this process is known as Privilege Escalation. Today in this article we will discuss what comes under privilege escalation and how an attacker can identify that low-privileges shell can be escalated to higher-privileged shell. But apart from it, there are some scripts for Linux that may come in useful when trying to escalate privileges on a target system. This is generally aimed at enumeration rather than specific vulnerabilities/exploits. This type of script could save your much time.

Table of Content

Introduction

Vectors of Privilege Escalation

LinuEnum

Linuxprivchecker

Linux Exploit Suggester 2

Bashark

BeRoot

Introduction

Basically privilege escalation is a phase that comes after the attacker has compromised the victim’s machine where he try to gather critical information related to system such as hidden password and weak configured services or applications and etc. All these information helps the attacker to make the post exploit against machine for getting higher-privileged shell.

Vectors of Privilege Escalation

OS Detail & Kernel Version

Any Vulnerable package installed or running

Files and Folders with Full Control or Modify Access

File with SUID Permissions

Mapped Drives (NFS)

Potentially Interesting Files

Environment Variable Path

Network Information (interfaces, arp, netstat)

Running Processes

Cronjobs

User’s Sudo Right

Wildcard Injection

There are several script use in Penetration testing for quickly identify potential privilege escalation vectors on Windows systems and today we are going to elaborate each script which is working smoothly.

LinuEnum

Scripted Local Linux Enumeration & Privilege Escalation Checks Shellscript that enumerates the system configuration and high-level summary of the checks/tasks performed by LinEnum.

Privileged access: Diagnose if the current user has sudo access without a password; whether the root’s home directory accessible.

Once you download this script, you can simply run it by tying ./LinEnum.sh on terminal. Hence it will dump all fetched data and system details.

Let’s Analysis Its result what is brings to us:

OS & Kernel Info: 4.15.0-36-generic, Ubuntu-16.04.1

Hostname: Ubuntu

Moreover…..

Super User Accounts: root, demo, hack, raaz

Sudo Rights User: Ignite, raj

Home Directories File Permission

Environment Information

And many more such things which comes under the Post exploitation.

Linuxprivchecker

Enumerates the system configuration and runs some privilege escalation checks as well. It is a python implementation to suggest exploits particular to the system that’s been taken under. Use wget to download the script from its source URL.

1

wgethttp://www.securitysift.com/download/linuxprivchecker.py

Now to use this script just type python linuxprivchecke.py on terminal and this will enumerate file and directory permissions/contents. This script works same as LinEnum and hunts details related to system network and user.

1

python linuxprivchecker.py

Let’s Analysis Its result what is brings to us.

OS & Kernel Info: 4.15.0-36-generic, Ubuntu-16.04.1

Hostname: Ubuntu

Network Info: Interface, Netstat

Writable Directory and Files for Users other than Root: /home/raj/script/shell.py

Checks if Root’s home folder is accessible

File having SUID/SGID Permission

For example: /bin/raj/asroot.sh which is a bash script with SUID Permission

Linux Exploit Suggester 2

Next-generation exploit suggester based on Linux_Exploit_Suggester. This program performs a ‘uname -r‘ to grab the Linux operating system release version, and returns a list of possible exploits.

This script is extremely useful for quickly finding privilege escalation vulnerabilities both in on-site and exam environments.

Key Improvements Include:

More exploits

Accurate wildcard matching. This expands the scope of searchable exploits.

Output colorization for easy viewing.

And more to come

1

2

git clonehttps://github.com/jondonas/linux-exploit-suggester-2.git

cd linux-exploit-suggester-2

You can use the ‘-k’ flag to manually enter a wildcard for the kernel/operating system release version.

1

./linux-exploit-suggester-2.pl-k3.5

Bashark

Bashark aids pentesters and security researchers during the post-exploitation phase of security audits.

Its Features

Single Bash script

Lightweight and fast

Multi-platform: Unix, OSX, Solaris etc.

No external dependencies

Immune to heuristic and behavioural analysis

Built-in aliases of often used shell commands

Extends system shell with post-exploitation oriented functionalities

Stealthy, with custom cleanup routine activated on exit

Easily extensible (add new commands by creating Bash functions)

Full tab completion

Execute following command to download it from the github:

1

2

git clonehttps://github.com/TheSecondSun/Bashark.git

cd Bashark

To execute the script you need to run following command:

1

2

source bashark.sh

help

The help command will let you know all available options provide by bashark for post exploitation.

With help of portscan option you can scan the internal network of the compromised machine.

To fetch all configuration file you can use getconf option. It will pull out all configuration file stored inside /etc directory. Similarly you can use getprem option to view all binaries files of the target‘s machine.

1

2

3

portscan<target’sIP>

getconf

getprem

BeRoot

BeRoot Project is a post exploitation tool to check common misconfigurations to find a way to escalate our privilege. This tool does not realize any exploitation. It mains goal is not to realize a configuration assessment of the host (listing all services, all processes, all network connection, etc.) but to print only information that have been found as potential way to escalate our privilege.

1

2

3

git clonehttps://github.com/AlessandroZ/BeRoot.git

cd Linux

chmod777beroot.py

To execute the script you need to run following command:

1

./beroot.py

It will try to enumerate all possible loopholes which can lead to privilege Escalation, as you can observe the highlighted yellow color text represents weak configuration that can lead to root privilege escalation whereas the red color represent the technique that can be used to exploit.

It’s Functions:

Check Files Permissions

SUID bin

NFS root Squashing

Docker

Sudo rules

Kernel Exploit

Conclusion: Above executed script are available on github, you can easily download it from github. These all automated script try to identify the weak configuration that can lead to root privilege escalation.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Share this:

Like this:

LikeLoading...

ABOUT THE AUTHOR

Raj Chandel

Raj Chandel is a Skilled and Passionate IT Professional especially in IT-Hacking Industry. At present other than his name he can also be called as An Ethical Hacker, A Cyber Security Expert, A Penetration Tester. With years of quality Experience in IT and software industry